Malware Analysis Report

2025-05-05 21:52

Sample ID 221010-jcdj6abcbq
Target Confirmation transfer MT103 copy Ref010102562.js
SHA256 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84
Tags asyncrat vjw0rm default rat trojan worm
Score 10/10

Analysis Overview

Score 10/10

SHA256 146ff96668acfa0b36d30bab42321a2cdeccfa9714c8e1cc832741ff1d5c5d84

Threat Level: Known bad

The file Confirmation transfer MT103 copy Ref010102562.js was found to be: Known bad.

Malicious Activity Summary

asyncrat vjw0rm default rat trojan worm

AsyncRat

Vjw0rm

Async RAT payload

Executes dropped EXE

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Drops startup file

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Delays execution with timeout.exe

Analysis: static1

Detonation Overview

Reported

2022-10-10 07:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-10 07:31

Reported

2022-10-10 07:33

Platform

win7-20220812-en

Max time kernel

130s

Max time network

143s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\logs.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js C:\Windows\System32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\logs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 1200 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 780 wrote to memory of 2028 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
PID 2028 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 1016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1180 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\logs.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\logs.exe

"C:\Users\Admin\AppData\Roaming\logs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
JP 156.146.35.171:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 fresh02.ddns.net udp
VN 103.74.101.124:2245 fresh02.ddns.net tcp

Files

memory/780-54-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

memory/1200-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js

MD5 91e16cc28847b49a31fa84f5bb95d3e0
SHA1 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
SHA256 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
SHA512 f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe

MD5 9e320f6163f8d53462d45fbebc282c64
SHA1 b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

memory/2028-57-0x0000000000000000-mapping.dmp

memory/2028-61-0x0000000000D00000-0x0000000000D12000-memory.dmp

memory/2028-62-0x0000000076321000-0x0000000076323000-memory.dmp

memory/656-63-0x0000000000000000-mapping.dmp

memory/1180-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp494.tmp.bat

MD5 1e57cae89aaa7b9c0c2716041b87f6b8
SHA1 8e9d8428af46cfcdb1f3ef30c4fcc0666cdea17a
SHA256 0ffec833ed67bc05ec7a298cab97fbed7b575f2e82e40b29be72dc74fa1d2b99
SHA512 6b5a26c7968781a4fcdaeab50a64e0dd50ca57202858b7c014aa497dd709ce59e77d390458f301542a94b715ca52a37e26446fecd214a91b43d88b2d93259b9e

memory/1016-66-0x0000000000000000-mapping.dmp

memory/1444-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\logs.exe

MD5 9e320f6163f8d53462d45fbebc282c64
SHA1 b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

\Users\Admin\AppData\Roaming\logs.exe

MD5 9e320f6163f8d53462d45fbebc282c64
SHA1 b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

memory/1768-70-0x0000000000000000-mapping.dmp

memory/1768-72-0x0000000000A10000-0x0000000000A22000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-10 07:31

Reported

2022-10-10 07:33

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"

Signatures

AsyncRat

rat asyncrat

Vjw0rm

trojan worm vjw0rm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\logs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nWINLmmfVH.js C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\logs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 552 wrote to memory of 3308 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 552 wrote to memory of 1324 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe
PID 1324 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe C:\Windows\SysWOW64\cmd.exe
PID 1324 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe C:\Windows\SysWOW64\cmd.exe
PID 340 wrote to memory of 3520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 100 wrote to memory of 3512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 100 wrote to memory of 1276 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\logs.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Confirmation transfer MT103 copy Ref010102562.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js"

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp78FD.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\logs.exe

"C:\Users\Admin\AppData\Roaming\logs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
JP 156.146.35.171:5465 javaautorun.duia.ro tcp
US 8.8.8.8:53 fresh02.ddns.net udp
VN 103.74.101.124:2245 fresh02.ddns.net tcp
US 93.184.220.29:80 tcp
US 8.253.208.113:80 tcp
NL 104.80.225.205:443 tcp

Files

memory/3308-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\nWINLmmfVH.js

MD5 91e16cc28847b49a31fa84f5bb95d3e0
SHA1 31cbfcc259966c020e0a6af48fe7ab3f1ed8746b
SHA256 068f05236ec0499de55e3875a94989f1cc3ce5091834a09752dc61a3fb447a19
SHA512 f02c263c1f1f6374b1ae9bb5767b8cf8f7c454e2912fb58ced14b9ce8bea5c8a4ec3e1eb48bdc9aae29b572fb723b9b377b458ea5c12b101c175e475cf93b41b

memory/1324-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsyncClient02.exe

MD5 9e320f6163f8d53462d45fbebc282c64
SHA1 b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

memory/1324-137-0x0000000000FF0000-0x0000000001002000-memory.dmp

memory/1324-138-0x0000000005AE0000-0x0000000005B7C000-memory.dmp

memory/340-139-0x0000000000000000-mapping.dmp

memory/100-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp78FD.tmp.bat

MD5 25ab5e2dc24bbc5c10de8b12930138e3
SHA1 9a476643ba80ba94657b9aec5dac2331e88ffced
SHA256 efc90d7df1e9d907851beebd4aea589c74f38ae47ee86975c69cb94187ee1bbb
SHA512 2d168828a7dde0f4b1fbb5310e88102e2f62f1667f0c89435b513742e7d612a8b8731b9854e525e84f62c265673c69a3ba1d1aa94432e6513ed1936d60702574

memory/3520-142-0x0000000000000000-mapping.dmp

memory/3512-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\logs.exe

MD5 9e320f6163f8d53462d45fbebc282c64
SHA1 b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512 4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

memory/1276-144-0x0000000000000000-mapping.dmp
